Bays Consulting has hit another milestone on its Information Security journey, as we recently received our ISO27001 Certification.
What started as a tick-box exercise for some contracts and frameworks (we thought we were already rather good at Information Security, having our Cyber Essentials Plus certificate) quickly became one of the most valuable pieces of work I have done for the company.
The Standard requires you to put together an ‘Information Security Management System’ (ISMS), which begins with cataloguing your whole set of assets, considering the risks to them, and then working out how to treat those risks. For me this quickly became the most terrifying part; I likened it to picking up rocks to see what was underneath and discovering something I didn’t want to see wherever I turned.
Ransomware, disgruntled employees, people leaving their phones in pubs: all became things I started worrying about more and more. Fortunately, the ‘controls’ that ISO27001 suggests you consider in your ISMS lead you by the hand to the right ways to treat those risks.
We had a slightly unusual time as a ‘remote company with an office’, as a lot of the Standard had been written assuming you are using on-premises hardware rather than today’s more fashionable cloud setups. Since we began the process, however, the Standard has been refreshed in a way that adapts that focus.
The whole process felt very ‘grown up’: you design your own system, a Stage 1 Audit checks that it is suitably designed on paper, and then you are given every opportunity to shoot yourself in the foot when the auditors come back a few months later to check that you are actually doing what you yourself said you would do.
Another very helpful element is the emphasis placed on continual improvement; we were told to think of achieving certification as the start of our journey, not the end. For example, we will be regularly observed to ensure we are still doing what we said we would do, and that we are spotting issues and teething problems with the system and making it better. Tedious though this sounds, it has been quite the opposite: the system has scaled to suit our size as a small business, and the regular activities we committed to have let us address issues and harden our information systems even further.
Ensuring everyone in the company takes an interest in the ISMS has been one of the trickier components, as it is a dry subject at best, albeit an important one. I hope (if anyone else from Bays ever reads my blogs they can tell me) that our method of gently dripping it out bit by bit has worked well: Nathan Chamberlain, our dedicated Cyber Security intern, ran a brilliant phishing campaign; we put ISMS review into our project retro meetings; and I sprinkle bits of security into our weekly learning and development sessions.
Though getting our certification was a long process, it has been very worthwhile: we started so we could get a tick in a box, continued because we saw how important it was, and have taken Bays from being good at Information Security to, hopefully, great.